Preparing Against Current Healthcare Cybersecurity Threats

As more healthcare ransomware cases are reported, it becomes even more apparent that organizations of all sizes can no longer assume that they will never be a target of a healthcare cybersecurity attack.

Covered entities must ensure that they are properly prepared for a potential ransomware or other type of cybersecurity attack, explained Berkeley Research Group Director of Cyber Security and Investigations Chris Tarbell.

There are a few reasons why healthcare ransomware issues have been at the forefront recently, according to Tarbell, who is also a former FBI agent who worked on the bureau’s cyber intrusion squad. Healthcare is a regulated industry, and it is required to tell its clients when there has been a breach.

Organizations in other sectors, such as a law firm, are not held to the same requirements.

While cases of healthcare facilities being hit with ransomware are making headlines, Tarbell maintained that it’s a rampant issue in all industries and “everyone is getting hit.”

However, healthcare ransomware is a key concern because that information is crucial to individuals’ lives.

If an online store, for example, gets hit with ransomware, then that store will lose business and will likely lose money. The business suffers, and the owner loses money, but that will likely be the end of it, he explained.

“In healthcare, people could be losing lives,” Tarbell warned. “It’s very sensitive data that has to be protected. You’re also seeing a lax in security. You never hear about hospitals hiring high-powered CIOs or CSO. Instead, it’s a guy who’s worked only for the IT department and then got in there.”

The ransomware attackers also see this approach as an easy way to make money, he added. They realize that if they can do this to 100 people – or organizations – and just 10 of them pay a ransom of $3,000, that’s a good profit.

How endpoint security poses new cybersecurity risks

Endpoint security has definitely affected the way that healthcare organizations should approach their cybersecurity measures, according to Tarbell.

“Normally the endpoint is just communicating with one point and going into the server, and the information is being collected in that database,” he explained.

However, technologies have now evolved to include laptops with USB ports or network ports. The medical industry is rampant with endpoints like this, and they can often be left unsecured. Even if done inadvertently, this could still create data security issues.

“We allow visitors into hospitals,” Tarbell said. “We’re giving them digital access to our networks. The more and more things coming out, these little devices, they’re called inline key loggers. So, I could plug into the back of the computer and then I plug the keyboard into it.”

From there, the device could collect all of the keystrokes, including usernames and passwords, and beacon them out.

Endpoint security is more than just locking a computer, Tarbell maintained.

“[Endpoint security] is maintaining control of the entire machine that’s sitting in the patient room,” he explained. “And that’s very difficult because you want business continuity for the nurses, and the doctors to access medical records and to enter medical records right there in the patient’s room. But, you’re also relying on the physical security that the family isn’t nefarious in some sort of way.”

Overall, the physical security of the endpoint devices is a huge problem that hospitals need to address and need to think about, he added.

Working to protect against evolving healthcare cybersecurity threats

Healthcare organizations need to find a reputable company to perform cybersecurity assessments, according to Tarbell.

A hospital’s Wi-Fi, for example, could potentially create problems if a malicious attacker tried hard enough. While the Wi-Fi likely is not touching or connected to the hospital records network, a third party could log on to the Wi-Fi from the cafeteria. From there, if he or she can find a connection across to the records network, then he or she has access to patient records.

“Make sure your networks are segmented,” Tarbell cautioned. “Hire companies to do assessments on your networks. Hire outside parties to make sure the IT team is up to speed. A lot of these IP guys, they’re about business continuity. Getting the information to the patients, to the doctors, to the nurses who are needed, and just keeping the hospital running.”

And that is exactly what they are hired for, he maintained. Hospitals don’t really have security teams that make sure those endpoint connections are safe, and that the wireless connection doesn’t bleed over. However, building some sort of security consciousness into the network is essential for healthcare organizations.

“It’s definitely a lot cheaper than your hospital losing the network for a few days just to assess your network,” he said. “And that should happen on a regular basis, just like changing the oil in your car.”

Moreover, Tarbell suggested that as technologies are added, endpoints are removed, and new servers are implemented into a system, organizations should verify that these changes were made correctly. Ensure that a firewall wasn’t left open, or that a default username or password was not left on a machine.

The current state of healthcare cybersecurity

Healthcare had a big wake-up call in 2015 in terms of its cybersecurity, according to Tarbell, who added that it was the “year of the hacker hospitals.”

“They’re a long way from being secure,” he said. “They’re starting to realize that they are a big target now, and it’s going to be on an upward trend of getting some security in there. But 2015 was the baseline.”

Adding security measures after the fact can often create problems, he maintained. Essentially, the network inside of a hospital is no different than the internet. The internet was created by a bunch of academics who wanted to share information freely.

However, then nefarious individuals got in and said, ‘Hey, we can steal this information,’ Tarbell warned.

“So, they slapped security on top of the existing internet. That doesn’t necessarily work well,” he stated. “Hospital networks are the same way. We have this infrastructure, we have it going around and now we’re trying to tighten the screws down for security reasons. As soon as doctors don’t get the right information in a timely manner, the screws get loosened.”

Those in the industry are starting to take notice though, Tarbell added.

“Hospital administrators are realizing they’re going to have to pay a certain amount of money because now the government is regulating hospital records and hospital networks. But, we have a lot of work ahead of us.”